[Samba] idmap limit?
Andreas Hauffe
andreas.hauffe at tu-dresden.de
Tue Jan 16 15:20:52 UTC 2018
Hi,
no, that's my fault. I changed the UIDs and user names in my "ls -l" to
unpersonalized/example data for my mail and didn't think about putting
these values into the range. A better unpersonalized data example would
look like:
----------
drwx------ 43 DOM\user1 DOM\group 4096 Jan 10 08:00 user1
drwx------ 5 DOM\user2 DOM\group 4096 Jan 11 08:13 user2
drwx------ 3 10234 DOM\group 4096 Sep 7 2015 user3
drwx------ 7 10235 DOM\group 4096 Apr 30 2013 user4
drwx------ 12 DOM\user5 DOM\group 4096 Jan 4 12:46 user5
drwx------ 2 10236 DOM\group 4096 Jul 1 2015 user6
....
When we run a "wbinfo --uid-info" for an unmapped user, we are getting:
> wbinfo --uid-info=10234
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 10234
When we run "wbinfo -i" for that user, everything works fine.
> wbinfo -i DOM\\user3
DOM\user3:*:10234:10001::/home/user3:/bin/bash
After the last command (wbinfo -i DOM\\user3), "wbinfo
--uid-info=10234" also shows the correct result and the "ls -l" list also
lists the user name instead of the uid.
---------
On 16.01.2018 at 16:06, Rowland Penny via samba wrote:
> On Tue, 16 Jan 2018 15:22:44 +0100
> Andreas Hauffe via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> we are running a file server as member server of a windows 2012
>> domain. Now we are facing the problem, that some UIDs are not mapped
>> to the user names by the running winbindd process. This results in
>> "nobody" usernames for nfs shares mounted by other clients.
>>
>> When doing an "ls -l" in the homes directory on the member server
>> (file server), the list looks like:
>>
>> drwx------ 43 DOM\user1 DOM\group 4096 Jan 10 08:00 user1
>> drwx------ 5 DOM\user2 DOM\group 4096 Jan 11 08:13 user2
>> drwx------ 3 1234 DOM\group 4096 Sep 7 2015 user3
>> drwx------ 7 1235 DOM\group 4096 Apr 30 2013 user4
>> drwx------ 12 DOM\user5 DOM\group 4096 Jan 4 12:46 user5
>> drwx------ 2 1236 DOM\group 4096 Jul 1 2015 user6
>> ....
>>
>> When we run a "wbinfo --uid-info" for an unmapped user, we are
>> getting:
>>
>> > wbinfo --uid-info=1234
>> failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for uid 1234
>>
>> When we run "wbinfo -i" for that user, everything works fine.
>>
>> > wbinfo -i DOM\\user3
>> DOM\user3:*:1234:1000::/home/user3:/bin/bash
>>
>> After the last command (wbinfo -i DOM\\user3), "wbinfo
>> --uid-info=1234" also shows the correct result and the "ls -l" list also
>> lists the user name instead of the uid.
>>
>> So the question is, if there is any limit for the UID to user name
>> mapping in winbind, since the problem started while increasing the
>> number of clients and users.
>>
>> smb.conf looks like:
>>
>> [global]
>> security = ADS
>> workgroup = DOM2
>> realm = DOM2.DOM.EXAMPLE.DE
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> template homedir = /home/%U
>> template shell = /bin/bash
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-2999
>> idmap config DOM2 : backend = rid
>> idmap config DOM2 : range = 3000-9999 # UID from RID for POOL
>> idmap config DOM : backend = rid
>> idmap config DOM : range = 10000-9999999 # UID from RID for DOM
>>
>> winbind refresh tickets = yes
>>
>> nsswitch.conf looks like:
>>
>> passwd: compat winbind
>> group: compat winbind
>> shadow: compat
>> gshadow: files
>>
>> hosts: files dns
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis
>> sudoers: files
>>
>> idmapd.conf looks like:
>>
>> [General]
>>
>> Verbosity = 0
>> Pipefs-Directory = /run/rpc_pipefs
>> Domain = dom2.dom.example.de
>> Local-Realms = DOM2.DOM.EXAMPLE.DE,DOM.EXAMPLE.DE
>>
>> [Mapping]
>>
>> Nobody-User = nobody
>> Nobody-Group = nogroup
>>
>> krb5.conf looks like:
>>
>> [libdefaults]
>> default_realm = DOM2.DOM.TU-DRESDEN.DE
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>>
>>
> Is the user '1234' stored in AD or /etc/passwd ?
>
> From the number '1234' it is not a member of 'DOM' (range
> 10000-9999999), or 'DOM2' (range 3000-9999) or a member of '*' (range
> 2000-2999), it looks like it is probably a local Unix user.
>
> Rowland
>
>
--
Best regards
Andreas Hauffe
Head of the research field "Design Methods for Aircraft"
----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering
D-01062 Dresden
Germany
phone : +49 (351) 463 38496
fax : +49 (351) 463 37263
mail : andreas.hauffe at tu-dresden.de
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
Do you know our free laminate analysis code eLamX²? If not, please visit the following web address:
http://www.elamx.de
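
The range check Rowland applies to uid 1234 in the quoted reply can be automated. The following is an added example, not part of the original thread and not Samba code: it parses the `idmap config` lines from the smb.conf quoted above, reports which domain range a uid falls in, and for the `rid` backend derives the RID as uid - range low + base_rid. The function names are hypothetical and `base_rid = 0` (the idmap_rid default) is an assumption.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted in this thread.
SMB_CONF = """\
[global]
idmap config * : backend = tdb
idmap config * : range = 2000-2999
idmap config DOM2 : backend = rid
idmap config DOM2 : range = 3000-9999
idmap config DOM : backend = rid
idmap config DOM : range = 10000-9999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(\w[\w ]*?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "low": int, "high": int}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "backend":
            entry["backend"] = value.split()[0]
        elif key == "range":
            # Only the leading "low-high" is read; trailing text is ignored here.
            r = re.match(r"(\d+)\s*-\s*(\d+)", value)
            if r:
                entry["low"], entry["high"] = int(r.group(1)), int(r.group(2))
    return domains

def classify_uid(uid, domains, base_rid=0):
    """Return (domain, backend, rid); all None if no configured range holds uid."""
    for dom, cfg in domains.items():
        if "low" in cfg and cfg["low"] <= uid <= cfg["high"]:
            is_rid = cfg.get("backend") == "rid"
            rid = uid - cfg["low"] + base_rid if is_rid else None
            return dom, cfg.get("backend"), rid
    return None, None, None

def overlapping_ranges(domains):
    """Return pairs of domains whose ranges overlap (neighbours after sorting)."""
    items = sorted((c["low"], c["high"], d)
                   for d, c in domains.items() if "low" in c)
    return [(a[2], b[2]) for a, b in zip(items, items[1:]) if b[0] <= a[1]]
```

With the ranges from this thread, uid 1234 matches no idmap range at all, while the corrected uid 10234 lands in the DOM range.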